MA-155.042009: MyCERT Alert - phpMyAdmin Code Execution Vulnerability

1.0 Introduction

Several vulnerabilities have been identified in the phpMyAdmin setup script used to generate the configuration file. Using a crafted POST request, an attacker can trick the setup script into including arbitrary PHP code in the generated configuration file. Combined with the privilege to save files on the server, this can allow unauthenticated users to execute arbitrary PHP code.

2.0 Impact

An attacker can exploit this vulnerability to inject and execute arbitrary malicious PHP code in the context of the web server process. This may facilitate a compromise of the application and the underlying system, unauthorized disclosure of information, unauthorized modification and disruption of service.

3.0 Affected Products

Below is the detailed list of vulnerable versions:
- For phpMyAdmin 2.11.x: versions before 2.11.9.5.
- For phpMyAdmin 3.x: versions before 3.1.3.2.
4.0 Recommendation

MyCERT highly recommends that users of this application upgrade to the latest version of phpMyAdmin. The update can be obtained via this URL: http://www.phpmyadmin.net/home_page/downloads.php

Please consider the following to ensure that your phpMyAdmin installation is not exploited:
- Follow the installation best practices and delete the setup scripts after a successful installation.
- Protect your phpMyAdmin directory with .htaccess.
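The following .htaccess fragment is an added example of the second recommendation; it is not part of the MyCERT advisory or of phpMyAdmin itself. It assumes Apache 2.4 directive syntax, that the web server allows AuthConfig and Limit overrides for the phpMyAdmin directory, and that /path/to/.htpasswd is a placeholder for a password file created with htpasswd.

```apache
# Added example, not from the advisory: place this in the phpMyAdmin
# directory to require a login before any script in it can be reached.
# Apache 2.4 syntax; /path/to/.htpasswd is a placeholder for your own file.
AuthType Basic
AuthName "phpMyAdmin"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Refuse the setup script outright even for authenticated users; it should
# have been deleted after installation and has no use on a running system.
<Files "setup.php">
    Require all denied
</Files>
```

The `<Files>` block matches by file name only, so for releases that ship the setup script under its own `setup/` directory, put a separate .htaccess containing just `Require all denied` inside that directory, or simply remove the directory as the first recommendation advises.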
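The script below is an added example, not code from MyCERT or the phpMyAdmin project, that turns the affected-version list and the "delete the setup scripts" recommendation into a check an administrator can run. It assumes the installed version string is supplied by the administrator, and it assumes the setup script locations `scripts/setup.php` (2.11.x) and `setup/index.php` (3.x); treat those paths as assumptions and adjust them to the layout of the release you have installed.

```shell
#!/bin/sh
# Added example (not from the advisory): check a phpMyAdmin version against
# the ranges listed in MA-155.042009 and look for leftover setup scripts.

# Fixed versions as stated in section 3.0 of the advisory.
FIX_211="2.11.9.5"
FIX_3="3.1.3.2"

# vercmp A B: print -1, 0 or 1 comparing two dotted numeric versions,
# treating missing trailing components as 0 (so 3.1 == 3.1.0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0;
            q = (i <= nb) ? y[i] + 0 : 0;
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# pma_vulnerable VERSION: return 0 if VERSION falls inside an affected range
# from the advisory, 1 if it is at or above the fixed release of its branch,
# and 2 if the branch is not covered by the advisory at all.
pma_vulnerable() {
    case "$1" in
        2.11.*) fixed="$FIX_211" ;;
        3.*)    fixed="$FIX_3" ;;
        *)      return 2 ;;
    esac
    if [ "$(vercmp "$1" "$fixed")" -lt 0 ]; then
        return 0
    fi
    return 1
}

# pma_setup_present DIR: return 0 if a setup script is still installed under
# DIR. Paths are assumptions about the 2.11.x and 3.x layouts.
pma_setup_present() {
    if [ -e "$1/scripts/setup.php" ] || [ -e "$1/setup/index.php" ]; then
        return 0
    fi
    return 1
}

# pma_report VERSION DIR: print a short human-readable summary.
pma_report() {
    if pma_vulnerable "$1"; then
        echo "version $1: AFFECTED, upgrade to $FIX_211 (2.11.x) or $FIX_3 (3.x)"
    elif [ $? -eq 2 ]; then
        echo "version $1: branch not covered by MA-155.042009"
    else
        echo "version $1: at or above the fixed release"
    fi
    if pma_setup_present "$2"; then
        echo "setup script still present under $2: delete it or deny access"
    else
        echo "no setup script found under $2"
    fi
}

# Usage: sh pma_check.sh <version> <phpmyadmin-dir>
if [ $# -eq 2 ]; then
    pma_report "$1" "$2"
fi
```

The version check deliberately reports branches the advisory does not mention (for example 2.10.x) as "not covered" rather than "safe", because the advisory makes no statement about them.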
MyCERT can be reached at:
E-mail : mycert@mycert.org.my
Phone : +603 89926969 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References